08-27-2016 03:34 PM - edited 03-12-2019 06:07 AM
Hi Guys
If we have a network policy pushed from Firesight to the ASA and it also has a local policy applied on the interface, which would take precedence?
Also, is there any way we could check on the ASA what policy it has received from Firesight?
08-28-2016 07:50 AM
How are you pushing a policy to the ASA from Firesight?
Do you mean you have a policy pushed to the ASA's FirePOWER service module?
In that case, they are quite separate things. The ASA evaluates ingress and egress interface ACLs when the packet is presented to the interface. The service module evaluates the flow against its policies when it receives the packet from the parent ASA as part of the policy-map.
So it's not one or the other, it's both and the net result is their cumulative policy when applied in series (like a Boolean logical "AND").
See this link for a picture:
https://ccie-or-null.net/2014/12/10/packet-flow-with-firepower/
08-28-2016 09:40 AM
Marvin
Thank you so much, that makes it really clear. One more question just to double check: if we have a Firepower access-control policy, we really don't need an ASA ACE? I don't see the advantage of filtering something twice?
08-28-2016 02:23 PM
You're welcome.
They are complementary.
Think of the ASA ACL as your first tool in blocking intruders. Prevent random port scanners and such.
For those incoming connections on legitimate ports that are permitted by an ACL, the FirePOWER module can then do a payload inspection at layer 4+ to check for protocol conformance and malicious content.
Please rate useful replies and mark your question as answered when it has been.
11-18-2016 10:59 AM
Hi, I have a similar question about the ACL policy under Firesight. How granular does the ACL in Firesight have to be? Should I duplicate the exact copy (line by line) of the ACL in the ASA to Firesight?
11-19-2016 03:00 AM
They don't have to be as granular as your ASA ACLs. In case you want to block malware / files using a File Policy, block URL categories, etc., you might want to use a single rule for all your traffic, or a more granular one if you want to enable IPS for certain flows.
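As an added illustration of the two points made in this thread (the ASA interface ACL and the FirePOWER access-control policy are evaluated in series, so the net verdict is a logical AND, and the module policy can be far coarser than the ASA ACL), here is a small Python simulation. It is example code written for this thread, not Cisco's code or behaviour of any real product; the rule tuple format, the `app` field, the action names and the sample addresses are constructed assumptions.

```python
# Constructed simulation of serial ASA ACL -> FirePOWER evaluation.
# Rule formats, field names and sample values are assumptions, not Cisco's.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Flow:
    dst: str        # destination IP of the packet
    proto: str      # "tcp" or "udp"
    dport: int      # destination port
    app: str = ""   # application the module identifies (hypothetical field)


# ASA interface ACL: ordered ACEs, first match wins, implicit deny at the end.
def asa_acl(flow, aces):
    for action, proto, dst_net, dport in aces:
        if (proto in ("ip", flow.proto)
                and ip_address(flow.dst) in ip_network(dst_net)
                and dport in (None, flow.dport)):
            return action
    return "deny"  # nothing matched: implicit deny


# FirePOWER access-control policy: ordered rules matched on the identified
# application and port; unmatched traffic gets the policy's default action.
def firepower_acp(flow, rules, default="allow"):
    for action, app, dport in rules:
        if app in ("any", flow.app) and dport in (None, flow.dport):
            return action
    return default


def evaluate(flow, aces, rules):
    """Serial evaluation: only packets the ASA ACL permits are redirected to
    the module, so the net verdict is ASA AND FirePOWER."""
    if asa_acl(flow, aces) != "permit":
        return ("deny", "asa-acl")      # the module never sees this packet
    if firepower_acp(flow, rules) != "allow":
        return ("deny", "firepower")    # permitted by the ACL, blocked by the module
    return ("allow", "both")


# Constructed sample: a granular ASA ACL (443 to a server subnet, 80 to one
# host) next to a coarse module policy (block one application, allow the rest).
SAMPLE_ACES = [
    ("permit", "tcp", "203.0.113.0/24", 443),
    ("permit", "tcp", "203.0.113.10/32", 80),
]
SAMPLE_RULES = [("block", "Tor", None), ("allow", "any", None)]
```

A port scan against an unlisted port is dropped by the ACL before the module is involved, while a flow on a permitted port that the module identifies as a blocked application is dropped by the module.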